Savedsearches logevent action: how to ensure all alerts are captured?
![koshyk koshyk](https://community.splunk.com/legacyfs/online/avatars/171489.jpg)
Folks, we had to do summary indexing of alerts created by savedsearches. This has been accomplished by logevent (though it's NOT well documented in the Splunk docs). I've used https://docs.splunk.com/Documentation/Splunk/8.2.2/RESTREF/RESTsearch to set it up, and the tokens are all working well.
The settings are like below
```
logevent.param.index: test
logevent.param.sourcetype: my_summary_index_st
logevent.param.event: $name$ $result.*$
```
BUT, only the FIRST alert is captured by the `$result.*$` token.
Any idea how to ensure the entire events from the alert are captured? (`$results.*$` is NOT working)
PS: I've put in feedback to the docs team to update all the parameters, but the docs are lacking a lot compared to the alert functionalities.
![SplunkTrust SplunkTrust](/html/@E48BE65924041B382F8C3220FF058B38/rank_icons/splunk-trust-16.png)
Combine your results into a single row.
P.S. It is documented in a number of places that $result.*$ only gives access to the first result row in the set.
Hello,
Found out my scheduled logevent reports (saved searches) were only inserting one row.
I had to open the search, then save it as an alert and trigger on "each event".
This should be an enhancement request / well documented 🙂
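
The per-result triggering described in the reply above, written as a `savedsearches.conf` stanza. This is an added example, not part of the original thread: the stanza name, search string and schedule are constructed for illustration, and the logevent parameter values are the ones given in the question.

```ini
# savedsearches.conf
# Stanza name, search and schedule below are constructed for illustration.
[Example - failed logins summary]
search = index=main sourcetype=example_auth action=failure | stats count by user, src
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now

# Trigger whenever the search returns at least one result.
counttype = number of events
relation = greater than
quantity = 0

# 1 (default): alert actions run once per search, over the whole result set,
#              so $result.*$ tokens are filled from the first row only.
# 0:           alert actions run once per result row, so logevent writes
#              one summary event for every row the search returns.
alert.digest_mode = 0

# logevent action, with the parameter values from the question.
action.logevent = 1
action.logevent.param.index = test
action.logevent.param.sourcetype = my_summary_index_st
action.logevent.param.event = $name$ $result.*$
```

`alert.digest_mode` applies to every action attached to the saved search, so email or webhook actions on the same alert will also fire once per row.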
![koshyk koshyk](https://community.splunk.com/legacyfs/online/avatars/171489.jpg)
Unfortunately, the savedsearch logic is not within our control but the client's. Also, it may impact other elements like webhook/emails etc. if the manipulation happens at search level.